
Research on Intelligent Perception Technology for APT Attack Threats in the Industrial Control Domain

Published: 2019-04-24 21:48
[Abstract]: In recent years, APT attacks have swept the globe, and APT attacks aimed at the industrial control domain directly damage critical infrastructure that bears on the national economy and people's livelihood. Since the Stuxnet attack on Iran's Bushehr nuclear power plant in 2010, APT attacks against the industrial control domain have become a focus of attention for national security agencies, the industrial control industry, and experts and scholars in the field. Drawing on the attack characteristics of the typical Stuxnet case and on existing literature on industrial control security, this thesis focuses on an attack type specific to ICS systems in the industrial control domain: order-based or time-based sequence attacks, which can still occur when the format of the network communication packets is completely normal. The thesis proposes a hierarchical, temporal-aware intrusion detection system based on discrete Markov chains, divided into two parts: data processing and intrusion detection. The data processing part uses the Snort intrusion detection software to capture and filter industrial control network data based on the Modbus protocol, extracts the filtered data according to the characteristics of Modbus protocol data, and, using a Markov chain, abstracts the extracted data into states and transition relations to build a Markov model. In the intrusion detection part, the thesis first classifies the order-based and time-based sequence attacks specific to ICS systems and proposes an anomaly detection algorithm according to the categories to be detected. Based on the characteristics of data in the ICS control network, the anomaly detection algorithm is improved in three respects: data importance, data semantics and data regularity. As a result, the false positive rate of the intrusion detection system is markedly reduced, and the system can distinguish intrusion behavior from suspicious but benign behavior. Finally, the thesis tests the proposed sequence-aware intrusion detection system in an ICS simulation environment built in the laboratory. The results show that, compared with the algorithm before improvement, the improved algorithm effectively reduces the false positive rate and achieves higher detection efficiency and accuracy.
[Degree-granting institution]: Harbin Engineering University
[Degree level]: Master's
[Year degree granted]: 2016
[Classification number]: TP309


Article number: 2464817


Link to this article: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/2464817.html

